Supply chain
Production Fontana deployments consume pre-built OCI images and a verified deploy bundle from your registry (typically GHCR). Application source code is compiled inside images in CI; production hosts pull artifacts only. That boundary supports SOC 2-aligned change management and vulnerability management without running build toolchains on customer data planes.
Artifact flow
Section titled “Artifact flow”CI (GitHub Actions, release branch only) → OCI images (immutable sha-<git> tags) → Deploy bundle (Helm chart, fontana CLI, rendered values, SHA256SUMS) → Trivy CRITICAL gate → Host pulls bundle + images via fontana CLIRelease artifacts are built only from the protected release branch after pull-request review and required status checks pass; feature-branch pushes run tests without publishing images or bundles.
Integrity controls
Section titled “Integrity controls”| Control | What you get |
|---|---|
| Immutable image tags | Deploys reference sha-<git> tags; branch tags are convenience only |
| Bundle checksums | SHA256SUMS in the deploy bundle; installer verifies before activating a release |
| Pinned upgrades | fontana tenant upgrade applies a specific bundle version; automatic snapshot before upgrade |
| Rollback | fontana rollback <tenant> <snapshot-id> restores data and release state |
| Artifact-only production hosts | Production hosts pull digest-pinned OCI images and the deploy bundle; no git or build toolchain on the data plane |
Vulnerability management
Section titled “Vulnerability management”CI runs Trivy against built images. CRITICAL findings fail the pipeline until remediated or explicitly waived under your change process. That gate is part of the SOC 2-aligned supply-chain control set documented for diligence.
Source dependencies are gated on the same pipeline:
pnpm auditfails the build on any high or critical advisory in the dependency tree- CodeQL static analysis runs on every push and pull request to the release branch
- Dependabot keeps lockfile and GitHub Actions dependencies current
- A public-function inventory diff fails the build when the backend API surface changes without a reviewed baseline update
Change control and audit trail
Section titled “Change control and audit trail”- Manual pinned releases on production hosts reference immutable
sha-<git>tags - Automatic full-stack snapshot before each tenant upgrade (release + data volumes)
- Terraform for host provisioning; durable platform changes reconcile through
fontana applyand infrastructure as code
Snapshot history on the host plus immutable GHCR tags form the deploy audit trail alongside application security audit in ImmuDB.
Related documentation
Section titled “Related documentation”- Fontana CLI - install, apply, upgrade, rollback commands
- Backup and restore - snapshots and recovery
- SOC 2 control summary - supply chain and change control rows
- Security and governance - diligence pack and certification posture